Reconnaissance

This is the first part in my blog series on the Kill Chain where I go deeper into the parts of the Unified model. This part is about the reconnaissance phase.

What is it?

Reconnaissance is yet another term from the military world: it is “the exploration outside an area occupied by friendly forces to gain information about natural features and other activities in the area” (Wikipedia).

Painting: On Reconnaissance, by Józef Brandt

By using various detection methods you obtain information about the activities and resources of your opponent. The scene is neutral, or could even be within opponent territory, “beyond the front line”. The methods used could be completely legal, questionable, or seen as directly hostile.

In the context of information security, reconnaissance is the phase in which an attacker gathers information about the target before the actual attack. Further actions are then determined by the picture that the collected pieces of information form.

As my favourite Sun Tzu quote says:

The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand.

Photo: Hsuan Hua meditating in the Lotus Position. Hong Kong, 1953

Maybe the target is selected beforehand and the aim of the reconnaissance is to determine which type of attack would be most efficient or inexpensive. Or maybe you are looking for a target that fits an already prepared attack scenario, and gather information about many possible targets to filter out the ‘weak ones’.

This is mainly a planning phase, where you conduct research to understand how to meet your objective.

Passive vs Active

There is a difference, though, between active and passive reconnaissance.

Passive reconnaissance is about gaining information without engaging directly with the target, going after metadata and what is public, while in active reconnaissance the attacker engages directly with the target system.

The distinction rests on two criteria. One is the risk of getting discovered, which is usually higher if you engage with the target. Reading a sysadmin's social media posts, on the other hand, will not set off any alarms, but could turn out to provide the missing piece. When engaging with the target, presume that who you are and what you are doing may be seen, or discovered later.

The distinction also largely overlaps with what is legal. Gathering intelligence from open sources (OSINT) is not illegal in most countries. Poking around in internal documentation you should not have access to is, and so are most interactions with a network you don’t own or have permission to use.

There is a grey area: for example, you could increase your usage of the target system while keeping it within reasonable levels so that it looks like legitimate use, while your real intent is to make the system give up a piece of information that it was never intended to reveal to you.

Examples

For the example of a website:

Passive

  • Passively spider the website
  • Scrape for subdomains
  • Download website content and review the code
  • Use search engines (Google Dorks) and web archives
  • Inspect cookies and session tokens
  • Search on any names you got hold of from website and emails
  • Identify the technology used

Active

  • Send various crafted input strings
  • Dumpster diving
  • Do a port scan on the web server
  • Map out the network
  • Send an email you know will bounce
  • Fiddle with security mechanics
  • Active spidering and automated scanners
  • Use a password-guessing tool

Measures

From a defender’s point of view it might be difficult to detect reconnaissance as it happens. But when you do discover enemy recon, even after the fact, it can reveal the intent of the attacker and is therefore useful.

Since there should be a return on investment (ROI) on every security measure taken, what to do is up to you and your threat model, risk management, and so on. But here are some things one could do.

Detect

  • Have anomaly detection on security relevant metrics and logs, including user behavior.
  • Use honeypots as a way to learn about current threats and attack patterns.
  • Cover more “outside” threat data in your threat intelligence, for example by monitoring the dark web.
  • Ensure your intrusion detection system recognizes behaviors unique to reconnaissance.
  • Use trends from these reconnaissance patterns to guide your defensive stance.

Imagine that you had already been attacked. What information would you need in order to understand the mission objectives of that attacker? Ensure you will receive this information and, as always, test it.
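As an added example (not part of the original post), here is a small Python detector for two reconnaissance behaviors mentioned above: a port scan against the web server and an automated web scanner. The log formats, thresholds and sample lines are constructed for the example and would need adapting to real firewall and web server logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Format assumed for this example:
#   "<iso-timestamp> fw DROP src=<ip> dst=<ip> dport=<port>"
#   "<iso-timestamp> web <client-ip> <method> <path> <status>"
SAMPLE = [f"2024-01-05T10:00:{i:02d} fw DROP src=198.51.100.7 dst=203.0.113.10 dport={20 + i}"
          for i in range(12)]                       # one source sweeping 12 ports in 12 seconds
SAMPLE.append("2024-01-05T10:05:00 fw DROP src=192.0.2.5 dst=203.0.113.10 dport=445")  # single stray drop
PATHS = ["/admin/", "/backup/", "/test/", "/old/", "/.env", "/config.bak", "/phpinfo.php", "/login.old", "/db/"]
SAMPLE += [f"2024-01-05T10:01:{i:02d} web 198.51.100.9 GET {p} 404" for i, p in enumerate(PATHS)]
SAMPLE.append("2024-01-05T10:02:00 web 192.0.2.8 GET /favicon.ico 404")  # an ordinary browser 404

FW_RE = re.compile(r"^(\S+) fw DROP src=(\S+) dst=\S+ dport=(\d+)$")
WEB_RE = re.compile(r"^(\S+) web (\S+) (\S+) (\S+) (\d{3})$")

def parse(lines):
    """Group firewall drops by source (port) and web 404s by client (path)."""
    fw, web = defaultdict(list), defaultdict(list)
    for line in lines:
        m = FW_RE.match(line)
        if m:
            fw[m.group(2)].append((datetime.fromisoformat(m.group(1)), int(m.group(3))))
            continue
        m = WEB_RE.match(line)
        if m and m.group(5) == "404":  # probing for paths that do not exist
            web[m.group(2)].append((datetime.fromisoformat(m.group(1)), m.group(4)))
    return fw, web

def flag_sources(events, threshold, window):
    """Return {source: count} for sources that touch >= threshold distinct values in one window."""
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # events are (timestamp, value); sort by time
        for i, (t0, _) in enumerate(evs):
            seen = {v for t, v in evs[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                flagged[src] = len(seen)
                break
    return flagged

def detect_recon(lines, port_threshold=10, path_threshold=8, window=timedelta(seconds=60)):
    """Thresholds are illustrative; tune them against your own baseline traffic."""
    fw, web = parse(lines)
    return {"port_scan": flag_sources(fw, port_threshold, window),
            "web_scanner": flag_sources(web, path_threshold, window)}

if __name__ == "__main__":
    print(detect_recon(SAMPLE))
```

The sweeping source is flagged for 12 distinct ports and the probing client for 9 distinct missing paths, while the single stray drop and the ordinary 404 stay below threshold.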

Defend

  • Proper firewall settings
  • Proper network segmentation
  • Access determined by proven access control measures

Deceive

Resources

First a warning. Using automated tools like scanners may cause noise in logs and monitoring on the target side. Also use them with caution and ensure they are configured correctly, since in the worst case they may destroy data. For example, an application may contain administrative functionality that deletes users.

Tools

Nmap: utility for network discovery and security auditing

Recon-ng: web reconnaissance framework

Nikto: web server scanner

SimplyEmail: email reconnaissance

Burp Suite: interception proxy and scanner

OWASP ZAP: interception proxy and scanner

Web

Awesome OSINT: a curated list of amazingly awesome OSINT

The OSINT framework: OSINT framework with list of resources

Bellingcat’s Online Investigation Toolkit: resources used by OSINT journalists at Bellingcat

Shodan: search engine of internet-connected computers

Censys: alternative to Shodan, “Find and monitor every server on the Internet”.

Security Headers: check which web security headers a site has configured

Qualys SSL Server Test: analyze website certificates